Threat Description

July killer

Details

Summary

The W97M/JulyKiller.A is a rather unremarkable macro virus for Word 97. The virus
is obviously of Far Eastern origin - probably Chinese. It is a native W97M virus but,
like many other such Chinese viruses, most of it is upconverted WordBasic code - obviously
its author was not familiar with Visual Basic for Applications - the programming language
of Office 97 applications.

Removal

Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.

Technical Details

The virus consists of a single VBA5 module named "a". The module contains 4 subroutines
with identical contents - AutoOpen, AutoClose, AutoNew and AutoExec. Therefore, the
virus receives control each time a document is opened, closed, created, or when Word
is started.

When it receives control, the first thing the virus does is to examine all add-ins
(accessible via Tools/Templates and Add-Ins of Word 97's menus) and unload all of
those whose name is not Autoexec.dot. The virus then changes the path of Word's Startup
folder (accessible via Tools/Options/File Locations of the menus of Word 97) to C:\.
Then it turns off the built-in macro virus protection of Word 97.

If the virus is running from a document containing the word "Autoexec" anywhere in
its name, the virus checks whether any of the opened documents or the global template
is infected. (This is determined by checking for the presence of a module named "a".)
If neither of them is, the virus opens the document C:\Autoexec.dot (in a way which
prevents it from appearing on the list of Most Recently Used files on Word's menu)
and copies itself from that document to all opened documents and templates whose VBA
projects are not protected.

The virus then checks whether a file named "Autoexec.dot" is present in the root directory
of drive C:. If it is not, a new template is created, it is infected, and is saved
in a file with this name. Again, the virus takes care to prevent the name of this
file from appearing on the MRU list.

The next action of the virus is to inspect all opened documents (except the one it
is running from) and templates. If their VBA projects are not protected, it looks
there for modules named AutoOpen, AutoClose, AutoNew and FileSave and removes them.
This might be a measure against another, competing virus, or against some unknown
anti-virus product. The virus then proceeds to infect these documents and templates.

Next, the virus performs some key and menu redirections. The key shortcuts Alt-F8
(default for Tools/Macro/Macros) and Alt-F11 (default for Tools/Macro/Visual Basic
Editor) are redirected to perform File/Save As (both of them). Instead, Alt-F1 and
Alt-F2 are set to perform their actions (start the ToolsMacro dialog and VBA Editor
respectively) - a kind of "backdoor", so that the virus author (and those "in-the-know")
could still use them.

The virus also rebinds the Tools/Customize, Tools/Options, Tools/Templates and Add-Ins,
Tools/Macro/Macros and Tools/Macro/Visual Basic Editor menu items to execute its AutoClose
subroutine. However, the virus accesses these menu items by name - and it uses the
Chinese names for them - so, this rebinding will be successful only under the Chinese
language version of Word 97. Finally, the virus rebinds all items on the "Visual Basic"
command bar to its AutoClose subroutine and proceeds to save all opened documents.

The payload of the virus activates when the system date indicates that the current
month is July. If this is the case, the virus displays an input message box, asking
the user something in Chinese. I can't read Chinese, so I don't know what the message
says. If the user accepts the proposed default answer (also in Chinese) by clicking
on the OK button, the virus displays the message (this time in broken English) "You
are wise,please choose this later again,critically!" and exits.

If the user presses the Cancel button (or enters anything but the default response),
the virus keeps asking the same question two more times. Then it "loses patience",
displays the message

Stop it!you are so incurable to lose 3 chances! Now,god will punish you...

and modifies the user's C:\AUTOEXEC.BAT file, appending to it the line

deltree/y c:\

Usually this means that on the next reboot all files on drive C: will be removed.
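The two indicators the description gives (a module named "a" carrying four identically-bodied auto-macros, and the `deltree/y c:\` line appended to C:\AUTOEXEC.BAT) can be turned into simple defender-side checks. This is an added example, not F-Secure's detection code; it assumes the VBA project has already been extracted into a module-name-to-source mapping by a separate tool (for instance oletools' olevba) and that AUTOEXEC.BAT is available as text. The sample inputs are constructed.

```python
import re

# The description names four auto-macros with identical bodies in a module "a".
AUTO_MACROS = ("AutoOpen", "AutoClose", "AutoNew", "AutoExec")

# Payload line appended to C:\AUTOEXEC.BAT when the July trigger fires.
PAYLOAD_RE = re.compile(r"^\s*deltree\s*/y\s+c:\\\s*$", re.IGNORECASE)


def is_julykiller_project(modules: dict) -> bool:
    """True if a module named 'a' defines all four auto-macros with identical bodies."""
    src = modules.get("a")
    if src is None:
        return False
    bodies = {}
    for name in AUTO_MACROS:
        m = re.search(rf"^\s*Sub\s+{name}\s*\(\)\s*\n(.*?)^\s*End Sub",
                      src, re.IGNORECASE | re.MULTILINE | re.DOTALL)
        if not m:
            return False
        # Normalise whitespace so layout differences do not hide identical bodies.
        bodies[name] = re.sub(r"\s+", " ", m.group(1)).strip()
    return len(set(bodies.values())) == 1


def payload_lines(autoexec_text: str) -> list:
    """Return the 1-based line numbers in AUTOEXEC.BAT carrying the deltree payload."""
    return [i for i, line in enumerate(autoexec_text.splitlines(), 1)
            if PAYLOAD_RE.match(line)]


def clean_autoexec(autoexec_text: str) -> str:
    """Return AUTOEXEC.BAT with the payload line removed; other lines are untouched."""
    return "\n".join(line for line in autoexec_text.splitlines()
                     if not PAYLOAD_RE.match(line)) + "\n"


# Constructed sample inputs (not real samples) so the module runs stand-alone.
SAMPLE_MODULES = {
    "a": "Sub AutoOpen()\n  Call x\nEnd Sub\nSub AutoClose()\n  Call x\nEnd Sub\n"
         "Sub AutoNew()\n  Call x\nEnd Sub\nSub AutoExec()\n  Call x\nEnd Sub\n",
}
SAMPLE_AUTOEXEC = "@ECHO OFF\nPATH C:\\WINDOWS;C:\\DOS\ndeltree/y c:\\\n"

if __name__ == "__main__":
    print("infected project:", is_julykiller_project(SAMPLE_MODULES))
    print("payload on lines:", payload_lines(SAMPLE_AUTOEXEC))
    print(clean_autoexec(SAMPLE_AUTOEXEC), end="")
```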

Finally, the virus searches all running tasks for one containing the string "Visual
Basic" in its name (usually - the VBA Editor) and hides it - obviously, in an attempt
to prevent the user from debugging it.

In general, we do not think that this virus presents any serious threat - and it certainly
does not deserve the media attention it has received. It is simply yet another
boring, stupid, badly written virus, created by somebody with more time on his hands
than brain in his head. It is slow and obvious and has no significant chances of surviving
in the wild. Of course, our anti-virus products have been updated to recognize, identify
and disinfect the virus (they already could detect it with our macro virus heuristics).
The virus has been given undeserved attention by the media. Such scare tactics are,
at best, a questionable practice of some anti-virus producers to get public exposure.
In the long run, it harms both the anti-virus industry and the users and only serves
to boost the virus writer's ego unnecessarily.

[Dr. Vesselin Bontchev, FRISK Software International]
